Fake Zbot Site Poses as CDC H1N1 Flu Vaccine Info

The newest victim of the faux-Web-sites-posing-as-government-pages scam is the Centers for Disease Control and Prevention. In the same vein as fake pages supposedly hosted on the Web servers of the IRS, FDIC, and other organizations, we’re seeing a new scam to infect computers with Trojan-Phisher-Zbot that pretends to be a “Personal H1N1 Vaccination Profile.”

As with the previous scams, dozens of Web servers are involved. The URLs in the scheme all begin with “http://online.cdc.gov” (the CDC does not use an “online.” subdomain), followed by a six- to seven-character random domain name and a non-.gov top-level domain.
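For defenders reviewing proxy or mail-gateway logs, the URL shape described above can be checked by comparing hostname labels rather than substrings. This is an added example, not Webroot's detection logic; the function names and the sample URLs (which use the reserved .example TLD) are constructed for illustration, and the check also flags the more general case of a trusted domain embedded anywhere in front of a different registered domain.

```python
from urllib.parse import urlsplit

# Domains the lure impersonates. cdc.gov comes from the article; extend as needed.
TRUSTED = ("cdc.gov",)

def classify(url):
    """Return 'genuine', 'campaign-pattern', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    for brand in TRUSTED:
        b = brand.split(".")
        # The host really ends in the trusted domain, so its owner controls it.
        if labels[-len(b):] == b:
            return "genuine"
        # Otherwise look for the trusted domain as leading labels of another domain.
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] != b:
                continue
            prefix, tail = labels[:i], labels[i + len(b):]
            # Shape from the article: online.cdc.gov.<6-7 chars>.<non-.gov TLD>
            if (prefix == ["online"] and len(tail) == 2
                    and 6 <= len(tail[0]) <= 7 and tail[-1] != "gov"):
                return "campaign-pattern"
            return "lookalike"
    return "unrelated"

def flag(urls):
    """Keep only URLs that embed a trusted domain in a host it does not own."""
    verdicts = ((u, classify(u)) for u in urls)
    return [(u, v) for u, v in verdicts if v in ("campaign-pattern", "lookalike")]

# Constructed sample URLs, not taken from the campaign.
SAMPLE_URLS = [
    "http://www.cdc.gov/",
    "http://online.cdc.gov.qwxzrtp.example/",
    "http://cdc.gov.updates.example/",
    "http://notcdc.gov/",
]

if __name__ == "__main__":
    for url, verdict in flag(SAMPLE_URLS):
        print(verdict, url)
```

Matching on whole labels is what keeps a host such as notcdc.gov from being treated as either genuine or a lookalike.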

The text of the page reads:

Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below

There’s a link labeled “Download Archive (130Kb)” that, when you click it, pulls down the Zbot installer from the malicious server. The file name is vacc_profile.exe. Please don’t execute this file if you happen to download it.

This particularly pernicious program appears to have a perspicacity for FTP passwords. It appears to target several popular Windows FTP and SCP client applications, including SmartFTP, WSFTP, FlashFXP, CoreFTP, FTP Commander, Total Commander, WinSCP, FileZilla, and FAR Manager. If you typically save your FTP credentials in these applications, Zbot will seek them out.

Webroot has implemented procedures to warn you when you visit one of these sites. Anyone using our software who has their File System Shield active will see a warning if they follow a malicious link. If you get this warning message, close the browser window, perform a full sweep of your computer, and change the passwords to any FTP accounts that have been saved in any of the client apps listed above.

You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reache…
